cloudflare · axiapubsub · Apr 28, 2025 · Apr 29, 2025 · Apr 30, 2025 · Apr 30, 2025
diff --git a/apps/dns-analytic/.dev.vars.example b/apps/dns-analytic/.dev.vars.example
@@ -0,0 +1,3 @@
+CLOUDFLARE_CLIENT_ID=
+CLOUDFLARE_CLIENT_SECRET=
+CLOUDFLARE_API_TOKEN=
diff --git a/apps/dns-analytic/.eslintrc.cjs b/apps/dns-analytic/.eslintrc.cjs
@@ -0,0 +1,5 @@
+/** @type {import("eslint").Linter.Config} */
+module.exports = {
+	root: true,
+	extends: ['@repo/eslint-config/default.cjs'],
+}
diff --git a/apps/dns-analytic/README.md b/apps/dns-analytic/README.md
@@ -0,0 +1,93 @@
+# Model Context Protocol (MCP) Server + Cloudflare DNS API Endpoints
+
+This is a [Model Context Protocol (MCP)](https://modelcontextprotocol.io/introduction) server based on [MCP Server + Cloudflare OAuth](https://github.com/axiapubsub/mcp-server-cloudflare/tree/main/apps/workers-observability). In addition, this MCP server also introduces the tool functions to access DNS information from Cloudflare API Endpoints.
+
+You can use this as an example for how to integrate MCP server with [Cloudflare API](https://developers.cloudflare.com/api/).
+
+## Getting Started
+
+### For Production
+
+- Set secrets via Wrangler
+
+```bash
+wrangler secret put CLOUDFLARE_CLIENT_ID
+wrangler secret put CLOUDFLARE_CLIENT_SECRET
+wrangler secret put CLOUDFLARE_API_TOKEN
+```
+
+#### Set up a KV namespace
+
+- Create the KV namespace:
+  `wrangler kv:namespace create "OAUTH_KV"`
+- Update the Wrangler file with the KV ID
+
+#### Deploy & Test
+
+Deploy the MCP server to make it available on your workers.dev domain
+` wrangler deploy`
+
+Test the remote server using [Inspector](https://modelcontextprotocol.io/docs/tools/inspector):
+
+```
+npx @modelcontextprotocol/inspector@latest
+```
+
+Enter `https://mcp-cloudflare-staging.<your-subdomain>.workers.dev/sse` and hit connect. Once you go through the authentication flow, you'll see the Tools working:
+
+<img width="640" alt="image" src="https://github.com/user-attachments/assets/7973f392-0a9d-4712-b679-6dd23f824287" />
+
+You now have a remote MCP server deployed!
+
+#### Access the remote MCP server from Claude Desktop
+
+Open Claude Desktop and navigate to Settings -> Developer -> Edit Config. This opens the configuration file that controls which MCP servers Claude can access.
+
+Replace the content with the following configuration. Once you restart Claude Desktop, a browser window will open showing your OAuth login page. Complete the authentication flow to grant Claude access to your MCP server. After you grant access, the tools will become available for you to use.
+
+```
+{
+  "mcpServers": {
+    "cloudflare": {
+      "command": "npx",
+      "args": [
+        "mcp-remote",
+        "https://<your-subdomain>.workers.dev/sse"
+      ]
+    }
+  }
+}
+```
+
+Once the Tools (under 🔨) show up in the interface, you can ask Claude to use them. For example: "Could you use the math tool to add 23 and 19?". Claude should invoke the tool and show the result generated by the MCP server.
+
+### For Local Development
+
+If you'd like to iterate and test your MCP server, you can do so in local development. This will require you to create another OAuth App and an API Token on Cloudflare:
+
+- Create a `.dev.vars` file in your project root with:
+
+```
+CLOUDFLARE_CLIENT_ID=your_development_cloudflare_client_id
+CLOUDFLARE_CLIENT_SECRET=your_development_cloudflare_client_secret
+CLOUDFLARE_API_TOKEN=your_development_cloudflare_api_token
+```
+
+#### Develop & Test
+
+Run the server locally to make it available at `http://localhost:8976`
+`wrangler dev`
+
+To test the local server, enter `http://localhost:8976/sse` into Inspector and hit connect. Once you follow the prompts, you'll be able to "List Tools".
+
+#### Using Claude and other MCP Clients
+
+When using Claude to connect to your remote MCP server, you may see some error messages. This is because Claude Desktop doesn't yet support remote MCP servers, so it sometimes gets confused. To verify whether the MCP server is connected, hover over the 🔨 icon in the bottom right corner of Claude's interface. You should see your tools available there.
+
+#### Using Cursor and other MCP Clients
+
+To connect Cursor with your MCP server, choose `Type`: "Command" and in the `Command` field, combine the command and args fields into one (e.g. `npx mcp-remote https://<your-worker-name>.<your-subdomain>.workers.dev/sse`).
+
+Note that while Cursor supports HTTP+SSE servers, it doesn't support authentication, so you still need to use `mcp-remote` (and to use a STDIO server, not an HTTP one).
+
+You can connect your MCP server to other MCP clients like Windsurf by opening the client's configuration file, adding the same JSON that was used for the Claude setup, and restarting the MCP client.
diff --git a/apps/dns-analytic/package.json b/apps/dns-analytic/package.json
@@ -0,0 +1,34 @@
+{
+	"name": "dns-analytic",
+	"version": "0.0.1",
+	"private": true,
+	"scripts": {
+		"check:lint": "run-eslint-workers",
+		"check:types": "run-tsc",
+		"deploy": "wrangler deploy",
+		"dev": "wrangler dev",
+		"start": "wrangler dev",
+		"cf-typegen": "wrangler types",
+		"test": "vitest run"
+	},
+	"dependencies": {
+		"@cloudflare/workers-oauth-provider": "0.0.2",
+		"@hono/zod-validator": "0.4.3",
+		"@modelcontextprotocol/sdk": "1.9.0",
+		"@repo/mcp-common": "workspace:*",
+		"@repo/mcp-observability": "workspace:*",
+		"agents": "0.0.62",
+		"cloudflare": "4.2.0",
+		"hono": "4.7.6",
+		"zod": "3.24.2"
+	},
+	"devDependencies": {
+		"@cloudflare/vitest-pool-workers": "0.8.14",
+		"@cloudflare/workers-types": "4.20250414.0",
+		"@types/node": "22.14.1",
+		"prettier": "3.5.3",
+		"typescript": "5.5.4",
+		"vitest": "3.0.9",
+		"wrangler": "4.10.0"
+	}
+}
diff --git a/apps/dns-analytic/src/index.ts b/apps/dns-analytic/src/index.ts
@@ -0,0 +1,114 @@
+import OAuthProvider from '@cloudflare/workers-oauth-provider'
+import { McpAgent } from 'agents/mcp'
+import { env } from 'cloudflare:workers'
+
+import {
+	createAuthHandlers,
+	handleTokenExchangeCallback,
+} from '@repo/mcp-common/src/cloudflare-oauth-handler'
+import { CloudflareMCPServer } from '@repo/mcp-common/src/server'
+import { registerAccountTools } from '@repo/mcp-common/src/tools/account'
+import { registerWorkersTools } from '@repo/mcp-common/src/tools/worker'
+
+import { MetricsTracker } from '../../../packages/mcp-observability/src'
+import { registerAnalyticTools } from './tools/analytic'
+
+import type { AccountSchema, UserSchema } from '@repo/mcp-common/src/cloudflare-oauth-handler'
+
+const metrics = new MetricsTracker(env.MCP_METRICS, {
+	name: env.MCP_SERVER_NAME,
+	version: env.MCP_SERVER_VERSION,
+})
+
+// Context from the auth process, encrypted & stored in the auth token
+// and provided to the DurableMCP as this.props
+export type Props = {
+	accessToken: string
+	user: UserSchema['result']
+	accounts: AccountSchema['result']
+}
+
+export type State = { activeAccountId: string | null }
+
+export class AnalyticMCP extends McpAgent<Env, State, Props> {
+	_server: CloudflareMCPServer | undefined
+	set server(server: CloudflareMCPServer) {
+		this._server = server
+	}
+
+	get server(): CloudflareMCPServer {
+		if (!this._server) {
+			throw new Error('Tried to access server before it was initialized')
+		}
+
+		return this._server
+	}
+
+	initialState: State = {
+		activeAccountId: null,
+	}
+
+	constructor(ctx: DurableObjectState, env: Env) {
+		super(ctx, env)
+	}
+
+	async init() {
+		this.server = new CloudflareMCPServer(this.props.user.id, this.env.MCP_METRICS, {
+			name: this.env.MCP_SERVER_NAME,
+			version: this.env.MCP_SERVER_VERSION,
+		})
+
+		registerAccountTools(this)
+
+		// Register Cloudflare Workers tools
+		registerWorkersTools(this)
+
+		// Register Cloudflare DNS Analytic tools
+		registerAnalyticTools(this)
+	}
+
+	getActiveAccountId() {
+		// TODO: Figure out why this fail sometimes, and why we need to wrap this in a try catch
+		try {
+			return this.state.activeAccountId ?? null
+		} catch (e) {
+			return null
+		}
+	}
+
+	setActiveAccountId(accountId: string) {
+		// TODO: Figure out why this fail sometimes, and why we need to wrap this in a try catch
+		try {
+			this.setState({
+				...this.state,
+				activeAccountId: accountId,
+			})
+		} catch (e) {
+			return null
+		}
+	}
+}
+
+const AnalyticScopes = {
+	'account:read': 'See your account info such as account details, analytics, and memberships.',
+	'user:read': 'See your user info such as name, email address, and account memberships.',
+	// 'workers:write':
+	// 	'See and change Cloudflare Workers data such as zones, KV storage, namespaces, scripts, and routes.',
+	// 'workers_observability:read': 'See observability logs for your account',
+	offline_access: 'Grants refresh tokens for long-lived access.',
+} as const
+
+export default new OAuthProvider({
+	apiRoute: '/sse',
+	// @ts-ignore
+	apiHandler: AnalyticMCP.mount('/sse'),
+	// @ts-ignore
+	defaultHandler: createAuthHandlers({ scopes: AnalyticScopes, metrics }),
+	authorizeEndpoint: '/oauth/authorize',
+	tokenEndpoint: '/token',
+	tokenExchangeCallback: (options) =>
+		handleTokenExchangeCallback(options, env.CLOUDFLARE_CLIENT_ID, env.CLOUDFLARE_CLIENT_SECRET),
+	// Cloudflare access token TTL
+	accessTokenTTL: 3600,
+	clientRegistrationEndpoint: '/register',
+})